JCU’s functions require the collection, creation, use and in some circumstances the disclosure of personal information about students, staff and other clients. The University is committed to protecting personal privacy and recognises that staff and students have a reasonable expectation that the University will protect and appropriately manage the personal information it holds about them.
JCU must comply with the requirements of the Information Privacy Act 2009 (Qld) (IP Act) which provides for the fair collection, management and handling of personal information. This Policy specifies the right of access to, and amendment of, personal information collected by the University as further detailed in JCU’s Information Privacy Statement and Collection Notice.
This policy applies to all University staff, affiliates, students, contractors and any other third party who collects or manages personal information on behalf of the University.
Except as otherwise specified in this policy, the meaning of terms used in this policy are as per the Policy Glossary:
Refers to a discretionary process that allows access to information, in full or in part, in certain types of administrative or operational records. Such records are generally released as a matter of course, in response to a request, without the need for a formal application under legislative authority such as the Right to Information Act (Qld) 2009 and Information Privacy Act (Qld) 2009.
Has the same meaning as the Cybersecurity Policy.
Has the same meaning as the ICT Acceptable Use Policy.
The wrong or improper use of Personal Information, done consciously and intentionally (on purpose). This includes un-authorised modification.
The Queensland Right to Information Act 2009 (RTI Act) defines a document as "a document, other than a document to which the RTI Act does not apply, in the possession, or under the control, of the University whether brought into existence or received in the University, and includes a document –
- to which the University is entitled to access; and
- in the possession, or under the control, of an officer of the University in the officer’s official capacity."
Documents may be in hard copy or electronic format and include files, reports, emails, correspondence, computer printouts, maps, plans, photographs, and audio and video recordings.
Inappropriate use means access to (and use of) personal information which is not appropriate to the individual’s role or function at the time, for example, viewing the health records of an individual out of interest.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), also referred to as the Notifiable Data Breaches (NDB) Scheme amends the Privacy Act 1988 (Cth) (the Commonwealth Privacy Act), and in the instances where the NDB Scheme applies to JCU, there is a mandatory requirement for JCU to notify the Commonwealth Privacy Commissioner and affected individuals of ‘eligible data breaches’. An eligible data breach occurs if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity;
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
Is as defined by the Information Privacy Act (Qld) 2009 (IP Act) as information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Personal information includes usernames, passwords and unique identifiers such as staff and student numbers. It can be recorded in any format including hard copy documents, electronic documents, databases, administrative systems, photographs and other images, and staff/student identity cards.
Personal information custodian
A University staff member who has responsibilities for the collection and management of Personal Information within the University. This may include records managers, student support and client services staff, HR staff and system administrators.
Is a complaint about an act or practice of JCU in relation to an individual’s personal information that is a breach of this policy or the IP Act or Privacy Act.
Has the same meaning as the JCU Cybersecurity Policy
Routine employment information
Is information that is solely and wholly related to the routine work duties and responsibilities of a staff member. This includes information such as a staff member's position title, JCU email address, work phone number, professional opinion given in professional capacity, authorship of documents, incidental appearances of a staff members name in work documents, information about qualifications held, or any information which is publicly available on the JCU website.
Means obtaining and exercising access to personal Information, for which they are not authorised (by role or function) to access.
Unique identifiers including student and staff numbers are used as the basis for recording a large amount of personal information. Other unique identifiers include payroll numbers, tax file numbers, credit card numbers and bank account details.
- The Information Privacy Act (Qld) 2009 (IP Act) provides individuals with a legally enforceable right of access to, and amendment of, their own personal information held by the University, unless this would, on balance, be contrary to the public interest. James Cook University is defined as a public authority under the IP Act and is therefore subject to the requirements of the Act.
- Requests for non-personal information or for the personal information of others are dealt with under the terms of the Queensland Right to Information Act 2009, as outlined in the University's Right to Information Policy.
- JCU is also subject to the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), also referred to as the Notifiable Data Breaches (NDB) Scheme which amends the Commonwealth’s Privacy Act 1988, in the following circumstances:
- where JCU receives and otherwise handles tax file numbers of staff, students or any other person;
- where JCU enters into agreements with the Commonwealth Government and the terms of those agreements require JCU to be bound by the Commonwealth Privacy Act (e.g. research agreements, funding agreements);
- where JCU retains data under the Telecommunications (Interception and Access) Act 1979, as this data is personal information for the purposes of the Commonwealth Privacy Act; and
- where JCU handles personal information of a student under the Higher Education Support Act 2003 (Cth), as this data is personal information for the purposes of the Commonwealth Privacy Act.
- Collection and Management of Personal Information
- This policy applies to the collection, use, storage, transfer, handling, right of access, and amendment of personal information at JCU.
- It does not apply to:
- routine employment information of staff;
- personal information which is maintained on a public register;
- information recorded in a de-identified way which cannot be linked (or re-linked) to a known individual;
- personal information which is already available in a publication or other publicly available document; or
- information which is generally available.
- JCU collects personal information to enable it to function effectively. Any personal information collected by the University is managed in accordance with the eleven Information Privacy Principles (IPPs) as set out in the IP Act.
- JCU is committed to an open environment which enables the general public, students and staff to access University documents that contain their own personal information without the need to make a formal IP Act request. In certain circumstances the University will release information administratively.
- JCU collects many types of personal information including student and employment records and as detailed in JCU’s Information Privacy Statement and Collection Notice available on the website which may change from time-to-time according to University requirements.
- Day-to-day access to the personal information of others is restricted to staff in the organisational unit that requires access e.g. Human Resources staff have access to employment records (role based access).
- Personal information will also be used to assist in the provision of activities and services including education and research and as set out in JCU’s Information Privacy Statement and Collection Notice available on the website.
- JCU may in certain circumstances transfer personal information interstate or overseas e.g. information may be transferred off-shore for storage by contracted IT service providers. Where JCU transfers personal information interstate or overseas it will:
- comply with those provisions of the IP Act and/or Privacy Act (where applicable) that relate to transborder data flows; and
- take all reasonable steps to ensure that third party service providers do not use or disclose transferred personal information for a purpose other than that for which it was collected by JCU. JCU will do this primarily by entering into legally binding contracts with service providers which require compliance with the Information Privacy Principles contained in the IP Act and/or Privacy Act (where applicable).
- Release of Personal Information
- The University has in place mechanisms and normal administrative practices to handle routine requests for access to information such as academic transcripts, or for alterations to information such as changes of address.
- Individuals wishing to obtain access to, or amend, information about themselves, should contact the relevant officer in the area in which the information is held or the Privacy Officer, Secretariat, James Cook University, Townsville QLD 4811 using the form at the JCU website as per the Requests for Access to Personal Information Procedure.
- The personal information of staff and students will not be released without their written consent except in certain circumstances detailed in the procedure.
- The IP Act and/or Privacy Act provides that access to certain documents or to certain information contained in documents may be refused in order to protect public interests or the private or business affairs of others. A request to obtain access to documents which contain information about the private affairs of others will usually be refused.
- The University may also refuse access to documents on the grounds that there would be a substantial and unreasonable workload in identifying, locating and collating the volume of documents in question.
- If a request for access or amendment is refused, the University will give specific written reasons for the decision and advise the applicant of their rights to appeal against the decision.
- Roles and Responsibilities
- Vice Chancellor. The Vice Chancellor is the 'principal officer' under the Information Privacy Act (Qld) 2009, and has overall responsibility for JCU’s obligations under the Act.
- Chief of Staff. The Chief of Staff oversees implementation of privacy management across the University, and approves privacy protocols, guidelines and mandatory training arrangements.
- University Secretary. As the Internal Review Officer, the University Secretary is responsible for the internal review of decisions made by the Deputy University Secretary, if requested by the applicant (refer to Requests for Access to Personal Information Procedure).
- Deputy University Secretary. The Vice Chancellor has delegated the responsibility for determining the outcome of IP Act applications to the Deputy University Secretary, acts as the JCU Privacy Officer and administers the IP Act on behalf of JCU including:
- making initial decisions on access and amendment applications under the IP Act ;
- liaise with both prospective applicants and University units regarding access to documents;
- advising staff in the University's privacy obligations;
- providing advice on privacy issues; and
- coordination of the University's investigation and response to privacy complaints.
- Heads of organisational units. Heads of organisational units are responsible for managing privacy risk in the organisational unit and implementing business processes consistent with the IP Act. They are also responsible for ensuring compliance with information requests by locating information held in their areas. If information cannot be located, a written explanation of what action was taken to locate the information is to be provided to the Deputy University Secretary.
- Data custodians. Personal Information (PI) Custodian. PI Custodians are responsible for:
- Implementing reasonably practical security measures to protect privacy of personal information in information systems;
- Determining user access levels which must be consistent with privacy requirements; and
- Implementing appropriate mechanisms to revoke access to systems containing personal information, when access is no longer appropriate, for instance, in the case of a change in position or formal responsibilities, or termination of employment.
- Privacy Information Users. Users are Authorised Users with access to Personal Information, and are responsible for following University instructions (including policies, procedures and guidelines) for the protection of Personal Information.
- University Staff. Only access personal information where this is necessary for work purposes. Personal information must be protected against loss, unauthorised access or modification, disclosure or misuse and managed in accordance with University policy and procedures. If a staff member becomes aware of a suspected data breach, they are to contact the Information Privacy Officer as soon as possible with as much information as is available. All staff are to undertake required privacy training and comply with the requirements of the IP Act, this policy and all procedures and privacy protocols issued under the policy.
- Access and security of personal information
- Access and security safeguards are important ways of protecting personal privacy. Access to personal information is granted to staff only where this is necessary for work purposes and staff must only access personal information if there is a work related reason for this. Personal information must be protected against loss, unauthorised access or modification, disclosure or misuse.
- Deliberate Misuse, Unauthorised Access or Inappropriate Access by Privacy Information Users is prohibited.
- Prohibition on disclosure of personal information
- Staff must not disclose personal information to individuals or organisations outside the University. Disclosure refers to release of personal information to another entity (e.g. a body, agency or person separate from the University) where JCU will cease to have effective control of the information once it is released.
- There are some limited circumstances in which personal information may be disclosed without breaching personal privacy. These circumstances are set out in JCU’s Information Privacy Statement and Collection Notice available on the website.
- Detailed Privacy guidelines are also available on the JCU website setting out the considerations and procedures for disclosure of personal information in these circumstances are available and must be followed. Disclosing personal information in other situations must only occur following confirmation from the Privacy Officer that disclosure is necessary and acceptable under other limited provisions in the IP Act.
- Privacy complaints
- If an individual believes that JCU has not dealt with their personal information in accordance with the IP Act or this policy, they may make a complaint. A complaint must be made in writing or by email to the Privacy Officer or referred to that officer if received by another area of the University.
- Primary responsibility for investigating and responding to the complaint will rest with the head of the organisational unit concerned, with advice from the Privacy Officer as required. The University's main objective in responding to privacy complaints is to conciliate an outcome which is acceptable to the complainant and which addresses any broader or systemic privacy issues which may arise.
- If a complainant does not agree with the University's response, an internal review process is available or a complainant may refer the matter for independent mediation by the Office of the Information Commissioner.
- Privacy breach management
- The head of the relevant organisational unit must report any privacy breaches to the Privacy Officer as soon as practicable after the breach has been identified.
- Management of a privacy breach will include steps to:
- contain the breach;
- evaluate the associated risks;
- consider notifying the affected individuals; and
- prevention of any further privacy breach.
- The Chief of Staff must be informed of serious breaches of this policy and any actions arising out of any investigations into a breach as per the Incident Management Policy and Procedures.
- For a Notifiable Breach as per section 1c), the University is obligated to inform the Australian Information Commissioner and particular individuals about eligible data breaches in accordance with the Personal Information – Data Breach Procedure.
- Policy Breach
- Policy breaches must be reported to the Privacy Officer as soon as practicable.
- A Policy breach that alleges Deliberate Misuse, Unauthorised Access or Inappropriate Access to personal information by an University Staff Member may be grounds for misconduct/serious misconduct and may result in disciplinary action, as prescribed by the Enterprise Agreement as amended or replaced from time to time.
- Unauthorised Access or Inappropriate Access to University personal information, attained from the result of system testing (i.e. penetration testing) of system security controls is not considered a Policy Breach, providing that system testing is sanctioned by the Director, Information Communication and Technology or the Head of Organisational Unit with direct responsibility for the system storing the personal information.
Related policy instruments
Related documents and legislation
Date for next review
Major review and amendments to reflect current legislation and separate procedural content.
Chief of Staff
Minor amendments – updated to reflect changes in job title (from Manager to Deputy Director) and the fact that Information Privacy is dealt with solely by the Governance Support Unit
11 - 1
Information, privacy, personal information, data breach